
== SSH Overview ==

; Background

http://linux.byexamples.com/archives/297/how-to-ssh-without-password/

If you google <tt>ssh-keygen,</tt> you should find lots of examples sometimes entitled "ssh without password"
for installing a public key on server eg. bizserver for ssh.

; ssh-keygen

In short, we generate a key pair using <tt>ssh-keygen</tt> (or <tt>PuTTYgen</tt> on Windows).

<pre>
$ ssh-keygen -t rsa
</pre>

This creates two files as follows <tt>~/.ssh/id_rsa.pub</tt> (public key), and  <tt>~/.ssh/id_rsa</tt> (private key).

The first is the public key, which we give out to servers e.g. using <tt>scp</tt>, or <tt>ssh-copy-id</tt>.

The private key is install on our workstations.

Since the private key gives access to the remote server to whoever has this key, it is important to protect it with a passphrase. This passphrase is used to encrypt/decrypt the file in which the private key is stored.

; ssh-agent

To avoid the inconvenience of having to enter the passphrase every time ssh requires access to your private key (for a new remote ssh session),
this passphrase can be cached by <tt>ssh-agent</tt>. We use <tt>ssh-add</tt> to activate <tt>ssh-agent</tt> for your session, and add
your decrypted private key info to the agent to use for authentication.
<pre>
[evanx@dev1 ~]$ ps x | grep ssh-agent
26995 ?        Ss     0:00 ssh-agent /bin/bash

[evanx@dev1 ~]$ ssh-add
Identity added: /home/evanx/.ssh/identity (/home/evanx/.ssh/identity)
</pre>

<tt>ssh-agent</tt> is usually started for your shell by default but is inactive until <tt>ssh-add</tt> is invoked,
and this will prompt for the passphrase for the encrypted private key to be cached by <tt>ssh-agent</tt>.

If <tt>ssh-agent</tt> is not running, it can be started as follows.

<pre>
evanx@evanx ~$ ssh-agent bash
evanx@evanx ~$ ssh-add
</pre>

; ssh-copy-id

We append the public key to <tt>~/.ssh/authorized_keys</tt> on servers e.g. using the <tt>ssh-copy-id</tt> command.

The private key you can copy into the <tt>.ssh/</tt> directory on your home Linux PC, or install into putty, your phone etc.

Alternatively you can generate a new public/private key pair on each workstation PC (or smartphone) and repeat the <tt>ssh-copy-id</tt> procedure.

If the <tt>ssh-copy-id</tt> command is not available, you can <tt>scp</tt> the public the key to the server, and manually append it
to <tt>.ssh/authorized_keys</tt> as follows

<pre>
$ cat id_rsa.pub >> .ssh/authorized_keys
</pre>

If you are creating <tt>authorized_keys</tt> you need to <tt>chmod</tt> is as follows.

<pre>
$ chmod 600 .ssh/authorized_keys
</pre>

; Trouble-shooting

Also ensure that your .ssh directory permissions are correct.
<pre>
$ chmod 700 .ssh
</pre>

If you are having problems, run ssh with -vvv option to see debugging info.
<tt>
$ ssh -vvv -p 2200 bizswitch.net
</tt>

If that doesn't give an indication of the problem, we need to look in sshd logs on the server.

On Ubuntu:
<pre>
root@evanx:~# tail /var/log/auth.log

Mar 17 13:48:30 evanx sshd[27543]: Failed password for postgres from 192.168.15.4 port 56867 ssh2
</pre>

On CentOS:
<pre>
root@bizserver ~: tail /var/log/secure

Mar 17 13:50:01 bizserver sshd[2044]: Failed password for invalid user postgres from 192.168.16.191 port 52575 ssh2
</pre>

Finally we can run <tt>sshd</tt> in debug mode using <tt>-d</tt> option.
<pre>
root@bizserver ~: /usr/sbin/sshd -p 2200 -d

debug1: sshd version OpenSSH_4.3p2
</pre>

Then when we <tt>ssh</tt> to that port and view the debugging information that it will output to the console.
<pre>
evanx@evanx:~$ ssh -vvv -p 2200 bizserver
</pre>
